Tools of the Trade: Part 3by Carl Constantine
Welcome back! Today I'm going to take a look at some of the common tools that you can use on your own systems to spot holes, to look for potential problems, and tighten your grip on the system.
Last time, I took you through a brief introduction to
tcpdump and Tripwire. This time, we'll take a look at
syslog and last but not least,
Have you ever looked in your
/var/log directory and wondered, "Where'd all those log files come from?" Chances are they were created by
syslog, the system logging facility.
syslog actually consists of a couple different tools that were originally part of the BSD distributions.
syslog has been ported to Linux and many other Unix operating systems (Solaris, HP-UX, etc.) and keeps all the same functionality of the original program. In some cases, a few functions have been added but nothing has been removed. I would consider
syslog to be more of a "system" rather than a tool.
There are four parts to
syslogd daemon process, a
klogd daemon process, a programming interface
syslog.h, and a configuration file
/etc/syslog.conf which is the key to the whole system. The programming interface is used by many other programs, such as Tripwire, to log activity on your system. Unless you're writing a security tool, or want to incorporate
syslog in some other application you are writing, you won't use the programming interface.
The main crux of the
syslog system is the
/etc/syslog.conf file. It controls what logs are created and when. A separate utility that isn't part of
syslog (but maybe should be) called
logrotate will compress logs and create new ones on a daily basis or however long you want. The result is something that looks like this:
syslog's configuration file is relatively simple to read and modify as you see fit. Let's take a quick look.